U.S. Environmental Protection Agency
Office of Inspector General
20-P-0007
October 21, 2019

At a Glance

Why We Did This Project

The Office of Inspector General (OIG) for the U.S. Environmental Protection Agency (EPA) conducted this follow-up audit to determine whether the EPA completed actions for Recommendation 3 in prior OIG Report No. 17-P-0344. The recommendation required the EPA to maintain a list of contractors required to take role-based training (RBT) and validate that all contractors have completed RBT.

We further sought to determine (1) whether EPA offices' fiscal year 2018 certifications were accurate and (2) what additional steps are needed to verify contractors' completion of RBT.

RBT is continuous education that improves current knowledge, skills and abilities for a particular job function.

This report addresses the following:

• Operating efficiently and effectively.

Management Alert: EPA Still Unable to Validate that Contractors Received Role-Based Training for Information Security Protection

The EPA has limited assurance that contractor personnel are maintaining skills needed to combat efforts to destroy, steal or hold for ransom the EPA's systems and sensitive information.

What We Found

The EPA continues to lack information to monitor compliance with the following RBT requirements:

• Confirming that contractor personnel completed the required RBT.
• Including RBT provisions in existing information technology services contracts.
• Maintaining a list of contractor personnel required to complete RBT.

These weaknesses occurred because:

• Most EPA offices did not validate that all contractors completed the required RBT.
• EPA Contracting Officer's Representatives were unfamiliar with RBT requirements.
• The EPA's directives did not explicitly designate who is responsible for maintaining a list of contractors required to complete RBT.

As a result, only seven of 21 (33 percent) EPA offices submitted a complete response by September 30, 2018, to the EPA's Chief Information Security Officer certifying that contractors completed the required RBT. We are issuing this management alert on these weaknesses because immediate improvements are needed to verify that contractors are trained in their roles to protect agency systems and data.

Recommendations and Planned Agency Corrective Actions

We recommend the Assistant Administrator for Mission Support (1) validate that all EPA offices submit the annual RBT certifications, (2) train EPA Contracting Officer's Representatives on mandatory RBT requirements, (3) implement a plan to identify which existing information technology services contracts should include RBT requirements, and (4) require EPA offices to maintain a list of contractor personnel required to complete RBT. The EPA completed corrective actions for Recommendations 1 and 4. The agency agreed to Recommendations 2 and 3 but has not provided corrective actions or milestone dates. Recommendations 2 and 3 are therefore unresolved.

Address inquiries to our public affairs office at (202) 566-2391 or OIG_WEBCOMMENTS@epa.gov.